Forum Discussion
F5 iRule Example integrating HMAC
Haha... that's a good one. You're asking for pre-11.x support and I recommend stuff for +11.4... -.-
Well, you could simply copy the contained [proc] code into your main iRule (as often as you need) and simply set $message, $prekey and $hmac in front of it and rewrite the [return] part to become an additional variable.
If this clutters your iRule code too much, then use TCL macros by storing the code into $static::variables and [eval] them as needed. See below...
when RULE_INIT {
    # Macro: HMAC-SHA256 of $message keyed with $prekey, hex result in $hmac_output
    set static::crypto_sign {
        set bsize 64
        # Keys longer than the SHA-256 block size are hashed first
        if { [string length $prekey] > $bsize } {
            set key [sha256 $prekey]
        } else {
            set key $prekey
        }
        set ipad ""
        set opad ""
        # XOR every key byte with the inner (0x36) and outer (0x5c) pad constants
        for { set j 0 } { $j < [string length $key] } { incr j } {
            binary scan $key @${j}H2 k
            set o [expr 0x$k ^ 0x5c]
            set i [expr 0x$k ^ 0x36]
            append ipad [format %c $i]
            append opad [format %c $o]
        }
        # Fill both pads up to the block size (0x00 ^ 0x36 = "6", 0x00 ^ 0x5c = "\")
        for { } { $j < $bsize } { incr j } {
            append ipad 6
            append opad \\
        }
        set token [sha256 $opad[sha256 "${ipad}${message}"]]
        binary scan $token H* hmac_output
    }
    # Macro: recompute the HMAC and compare it with $hmac_input, result in $hmac_valid
    set static::crypto_verify {
        set bsize 64
        if { [string length $prekey] > $bsize } {
            set key [sha256 $prekey]
        } else {
            set key $prekey
        }
        set ipad ""
        set opad ""
        for { set j 0 } { $j < [string length $key] } { incr j } {
            binary scan $key @${j}H2 k
            set o [expr 0x$k ^ 0x5c]
            set i [expr 0x$k ^ 0x36]
            append ipad [format %c $i]
            append opad [format %c $o]
        }
        for { } { $j < $bsize } { incr j } {
            append ipad 6
            append opad \\
        }
        set token [sha256 $opad[sha256 "${ipad}${message}"]]
        binary scan $token H* hmac_output
        # Note: [eq] is an ordinary string comparison, not a constant-time one
        if { $hmac_output eq $hmac_input } then {
            set hmac_valid 1
        } else {
            set hmac_valid 0
        }
    }
}
when HTTP_REQUEST {
    # Sign
    set message "hallo world"
    set prekey "1234"
    eval $static::crypto_sign
    log -noname local0. "HMAC Code is = $hmac_output"
    # Validate
    set message "hallo world"
    set prekey "1234"
    set hmac_input $hmac_output
    eval $static::crypto_verify
    log -noname local0. "HMAC Code verified = $hmac_valid"
}
Note: I've changed the $variable names a little to avoid conflicts, but I haven't tested (nor saved) the code at all. Hope this still works out for you. If not, then complain and I will take another look for you on Monday...
Cheers, Kai
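
To check the value the iRule logs, the same HMAC-SHA256 steps can be reproduced off-box and compared with a standard library implementation. This is an added example, not part of the post above; the function names and the test cases are assumptions made for illustration, and the verification uses a constant-time comparison rather than the iRule's `eq`.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes ($bsize in the iRule)


def hmac_sha256_manual(prekey: bytes, message: bytes) -> str:
    """Follow the iRule's steps and return the digest as lowercase hex."""
    # A key longer than one block is replaced by its SHA-256 hash.
    key = hashlib.sha256(prekey).digest() if len(prekey) > BLOCK_SIZE else prekey
    # XOR every key byte with the inner (0x36) and outer (0x5c) pad constants.
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # Fill up to the block size: 0x00 ^ 0x36 is "6", 0x00 ^ 0x5c is a backslash.
    fill = BLOCK_SIZE - len(key)
    ipad += b"6" * fill
    opad += b"\\" * fill
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).hexdigest()


def hmac_sha256_stdlib(prekey: bytes, message: bytes) -> str:
    """Reference value from Python's standard library."""
    return hmac.new(prekey, message, hashlib.sha256).hexdigest()


def verify(prekey: bytes, message: bytes, hmac_input: str) -> bool:
    """Check a received hex HMAC without leaking timing information."""
    expected = hmac_sha256_manual(prekey, message)
    return hmac.compare_digest(expected.encode(), hmac_input.encode())


# Constructed test inputs: the post's sample plus block-size edge cases.
CASES = [
    (b"1234", b"hallo world"),    # values used in the post
    (b"k" * 64, b"hallo world"),  # key exactly one block long
    (b"k" * 65, b"hallo world"),  # key longer than a block, hashed first
    (b"1234", b""),               # empty message
]


def self_check() -> bool:
    """True when the manual construction matches the library for all cases."""
    return all(hmac_sha256_manual(k, m) == hmac_sha256_stdlib(k, m) for k, m in CASES)


if __name__ == "__main__":
    print("manual == stdlib:", self_check())
    print("expected log value:", hmac_sha256_manual(b"1234", b"hallo world"))
```

Running it prints the hex string that the "HMAC Code is =" log line should show for the post's sample message and key.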